Forgot Password
Pentax Camera Forums Home
 

Reply
Show Printable Version Search this Thread
02-04-2014, 06:04 AM - 16 Likes   #1
Forum Member
Shodan's Avatar

Join Date: Feb 2014
Posts: 92
Resurrecting Pentax firmware hacking

Resurrecting Pentax firmware hacking

I better start with an introduction as this is my first post. I own a K30 with a load of old manual lenses. I'm also a full time reverse engineer and I'm very interested in rebooting firmware hacking on the Pentax. However I need help and can't do it alone.

I've gone through all the previous posts on Pentax hacking as well as the useful but old Pentax hacking site. Based on this I've seen that the biggest problems for creating a hacked firmware are:
  • Need for experienced reverse engineers
  • Cost of the required tools such as IDA Pro
  • The FP instruction set

Luckily I can help with some of the above. First with experience. I'm a hardware hacker who previously ported CHDK to my Canon Powershot - I've got some experience in hacking firmware on cameras. Next with tooling, for the people who don't know you need an expensive dissasembler called IDA Pro. I have this and the tool that changes assembly into a higher level language - the decompiler. Finally is the instruction set. I've done a lot of work reverse engineering the chip that's inside the K30 and I believe newer models as well. This I think is a Fujitsu Milbeaut MB91696AM. The great thing about this is that it's based around a Dual core ARM Cortex M4 CPU. This means no horrible FP instruction set! It all ARM and that's what I'm good at.

My progress so far:
  • Decrypted the firmware
  • Performed a lot of reverse engineering. Large parts found including memory allocation functions, displaying text on screen etc
  • Found all the debug processing code
  • Found the firmware decryption routines
  • Written custom firmware that allows custom code to be run
  • Started the PHDK project

Useful links:
PHDK Wiki
Paper describing the work so far - very technical
PHDK source code


What I need (so far):
  • Service manual for a K30 (or even a similar model). This would be really useful in understanding how all the debug functionality actually works
  • Datasheet for the MB91696AM or even a very similar ARM based CPU
  • Someone to tell me the offsets to icons/text images in the binary. This would rapidly increase the amount of functions I can find!

How you can help:
  • I will need testers. Be warned there is a small chance of bricking the camera...
  • I need people to help with the disassembly. You'll need a copy of IDA Pro (or maybe notepad - see below).
  • Anyone know anyone at Pentax / Ricoh. I'm considering dropping their marketing team an email.
  • Don't request features. At the moment there is only one feature - get custom code running on the device.
  • Don't request other cameras. I own a K30 and that's what I'm working on.

One of the big things is helping with decompilation of the firmware. It's too big to do alone. Given this I can dump a massive text file with all the functions in C-like code. If anyone has some programming background this might be a good way to help out. Is anyone interested? I still want to play nice with Pentax while i'm requesting their help so I will only PM out the file.

Big issues at present

Icons / text images (fonts)

There are very few strings in the main camera code. All the text is embedded in image data. I suspect that this is as RAW bitmap data directly in the firmware. It would be really useful to get the locations of at least one of these images, then I can find the rest. I'm not quite sure how to find them but The Gimp has an option of opening RAW files and changing the offsets into it. I've had a look but with not much luck.

Give me a few weeks and I hope to be at the point where I can write custom firmware which can then execute a file on the SD card containing additional functionality. I want to perform my code changes inside the debug mode routines, this should mean it's safer as this code is not called by default. At this point some brave soul will need to Flash their camera. Once that works all we will need to do is update the executable on the SD card. Well that's the idea any. Other options are to find a method in the existing debug routines which allow this or alternatively look for an exploit.

Brain dump over.

Attached Images
   

Last edited by Shodan; 01-20-2015 at 04:00 AM. Reason: Done some stuff
02-04-2014, 07:34 AM   #2
Pentaxian




Join Date: Jan 2011
Location: New York
Posts: 3,206
Thank you for taking on this task. I'm in the middle of changing jobs so can't offer any help.
02-04-2014, 07:38 AM   #3
Veteran Member
kcobain1992's Avatar

Join Date: Dec 2010
Location: Bucharest, Romania
Photos: Gallery
Posts: 1,409
Wow, looks like a massive project Wouldn't it be easier to just check assembly code, rather than decompile it into C?
02-04-2014, 08:17 AM - 1 Like   #4
Pentaxian




Join Date: Jan 2012
Location: Slovenia
Photos: Gallery
Posts: 2,164
OP I love you. Pretty sure we could get you a K-5 II and later a K-3 if enough people gather. I'm also pretty sure you're the first in a while who has managed to get anything out of the firmware.

After you find a way to hack K-30s I suggest a Kickstarter campaign for additional cameras.


Last edited by Giklab; 02-04-2014 at 08:24 AM.
02-04-2014, 08:18 AM - 1 Like   #5
Forum Member
Shodan's Avatar

Join Date: Feb 2014
Posts: 92
Original Poster
QuoteOriginally posted by kcobain1992 Quote
Wow, looks like a massive project Wouldn't it be easier to just check assembly code, rather than decompile it into C?
The problems are the same. I have the expensive version of IDA Pro. Pressing F5 gives me C code.
02-04-2014, 08:19 AM   #6
Inactive Account




Join Date: Apr 2010
Location: New Orleans
Photos: Gallery
Posts: 3,053
QuoteOriginally posted by Shodan Quote
Source code for PK Tether.
I have decompiled PK Tether with Dot Peak from resharper. It is written in c#.

Free .NET decompiler :: JetBrains dotPeek

I also have a K30, a software developer (although I do mostly web applications in .NET and Java and databases rather than embedded systems), I will definitely be willing to work with you on this project. I will PM you with my e-mail address and we can discuss.

Last edited by mikemike; 02-04-2014 at 08:27 AM.
02-04-2014, 08:28 AM - 1 Like   #7
Forum Member
Shodan's Avatar

Join Date: Feb 2014
Posts: 92
Original Poster
QuoteOriginally posted by mikemike Quote
I have decompiled PK Tether with Dot Peak from resharper. It is written in c#.

Free .NET decompiler :: JetBrains dotPeek

I also have a K30, a software developer (although I do mostly web applications in .NET and Java and databases rather than embedded systems), I will definitely be willing to work with you on this project. I will PM you with my e-mail address and we can discuss.
I've got the paid for version of RedGate Reflector. It's pretty simple but I would prefer the source if we can get it
02-04-2014, 08:55 AM   #8
Inactive Account




Join Date: Apr 2010
Location: New Orleans
Photos: Gallery
Posts: 3,053
Another bit of useful data might be wiresharking the FluCard when it comes out.

02-04-2014, 09:10 AM - 1 Like   #9
Forum Member
Shodan's Avatar

Join Date: Feb 2014
Posts: 92
Original Poster
QuoteOriginally posted by mikemike Quote
Another bit of useful data might be wiresharking the FluCard when it comes out.
I've got a Transcend Wifi SD card in mine. It's rooted.
The controller chip means you can't actually access any of the IO transfer stuff
02-04-2014, 10:00 AM - 1 Like   #10
Pentaxian
Just1MoreDave's Avatar

Join Date: Feb 2007
Location: Aurora, CO
Photos: Gallery | Albums
Posts: 4,841
Always these little tasks at first, but then Shodan has you running all over the ship, deadly enemies chasing you, down to 12 shots of standard ammo. And look what happened to innocent Rebecca and Tommy. No way!
02-04-2014, 10:20 AM   #11
Pentaxian




Join Date: Jan 2012
Location: Slovenia
Photos: Gallery
Posts: 2,164
Just wanted to comment on the avatar, and then I see this ^ .
02-04-2014, 01:53 PM   #12
Site Supporter
jcdoss's Avatar

Join Date: Nov 2012
Location: Kansas City, MO
Photos: Gallery | Albums
Posts: 1,842
Pardon my ignorance, but what can be gained through this endeavor? Any gain of function for my K-30 and K/M lenses would be welcome, but what specific expectations do you have?
02-04-2014, 01:58 PM   #13
Pentaxian
JinDesu's Avatar

Join Date: Jun 2011
Location: New York City
Photos: Gallery
Posts: 5,625
QuoteOriginally posted by jcdoss Quote
Pardon my ignorance, but what can be gained through this endeavor? Any gain of function for my K-30 and K/M lenses would be welcome, but what specific expectations do you have?
Most likely the ability to activate features/functions that should have been available before - like focus peaking during video, manual controls in video beyond what is available, etc. Maybe similar to what Magic Lantern does.
02-04-2014, 02:04 PM   #14
Inactive Account




Join Date: Apr 2010
Location: New Orleans
Photos: Gallery
Posts: 3,053
QuoteOriginally posted by jcdoss Quote
Pardon my ignorance, but what can be gained through this endeavor? Any gain of function for my K-30 and K/M lenses would be welcome, but what specific expectations do you have?
Some of it is because you can, some of it is because there are little idiosyncrasies that will in all likelihood never get addressed by the manufacturer.

If you lack the imagination to see the possibilities, take a look at CHDK and Magic Lantern and all the cool ways they extend the default functionality of supported cameras.
02-04-2014, 02:47 PM - 1 Like   #15
Forum Member
Shodan's Avatar

Join Date: Feb 2014
Posts: 92
Original Poster
QuoteQuote:
Pardon my ignorance, but what can be gained through this endeavor? Any gain of function for my K-30 and K/M lenses would be welcome, but what specific expectations do you have?
Google CHDK and Magic Lantern.
Reply

Bookmarks
  • Submit Thread to Facebook Facebook
  • Submit Thread to Twitter Twitter
  • Submit Thread to Digg Digg
Tags - Make this thread easier to find by adding keywords to it!
bit, camera, card, chdk, code, data, debug, dslr, file, firmware, flash, fp, gps, instruction, k-30, k-50, k30, love, magic, module, notes, pentax, photography, pin, pins, sd, text
Thread Tools Search this Thread
Search this Thread:

Advanced Search


Similar Threads
Thread Thread Starter Forum Replies Last Post
NY area SDM Hacking dappercorpmonkey Troubleshooting and Beginner Help 11 07-26-2013 04:15 PM
Nature Resurrecting some old images - Angry Birds! Julie Post Your Photos! 4 03-07-2013 10:41 AM
k-5 firmware hacking anyone? secateurs Pentax K-5 33 10-05-2012 03:05 PM
Hacking lens' memory plis Visitors' Center 6 11-28-2011 10:58 PM
Resurrecting a MX and Super ME LiMPiNg Pentax Film SLR Discussion 4 09-27-2011 02:55 PM



All times are GMT -7. The time now is 05:41 PM. | See also: NikonForums.com, CanonForums.com part of our network of photo forums!
  • Red (Default)
  • Green
  • Gray
  • Dark
  • Dark Yellow
  • Dark Blue
  • Old Red
  • Old Green
  • Old Gray
  • Dial-Up Style
Hello! It's great to see you back on the forum! Have you considered joining the community?
register
Creating a FREE ACCOUNT takes under a minute, removes ads, and lets you post! [Dismiss]
Top